unknown RPC opcodes during join+logon
Vijay Kota
vijay at spinnakernet.com
Fri Sep 20 00:44:38 GMT 2002
But if there is no servicePrincipalName attribute, TGS_REQ for
"cifs/foobar@WINDOWS2000.SPINNAKERNET.COM" fails. So my clients are
not able to get the appropriate Kerberos ticket. (KDC returns
PRINCIPAL_UNKNOWN)
Have I done something incorrectly? Here's my setup:
ldapsearch -Y gssapi -X u:administrator samaccountname=foobar$ \
altsecurityidentities serviceprincipalname
Output:
dn: CN=FOOBAR,CN=Computers,DC=windows2000,DC=spinnakernet,DC=com
altSecurityIdentities: Kerberos:
cifs/foobar@WINDOWS2000.SPINNAKERNET.COM
Regards,
Vijay
-----Original Message-----
From: samba-technical-admin at lists.samba.org
[mailto:samba-technical-admin at lists.samba.org] On Behalf Of Luke Howard
Sent: Thursday, September 19, 2002 4:02 PM
To: vijay at spinnakernet.com
Cc: samba-technical at lists.samba.org
Subject: RE: unknown RPC opcodes during join+logon
>But here are the results I got with changes to Samba:
> Odd name: <credential><4-byte flags = 0x0007ffff>: Access Denied
> Even name: <credential>,0x6B,0,<flags=0x0007ffff>: Access Denied
> Odd name: <credential><flags = 0x000001ff>:
> Success but "servicePrincipalName" attribute in Active
> Directory disappears
> Even name: <credential>,0x6B,0,<flags=0x000001ff>:
> Success but "servicePrincipalName" attribute in Active
> Directory disappears
I'm not sure about the 0x6B but I would think that servicePrincipalName
disappearing would have something to do with Active Directory presuming
that downlevel clients (which negotiate 0x1ff) do not support Kerberos,
and thus do not have a servicePrincipalName. You might try using the
altSecurityIdentities attribute instead, eg:
altSecurityIdentities: Kerberos:cifs/foobar.windows2000.spinnakernet.com
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com